Cisco Reports Massive Brute Force Attack

The first observed attacks date back to March 18 of this year. Cisco announced the last warning of this campaign three weeks ago. At that time it was a “password spray” method targeting VPN access.

During the attacks, adversaries attempted hundreds of thousands or even millions of failed authentication attempts. Some login attempts ended with the error “Unable to complete connection. Cisco Secure Desktop not installed on the client” error. Specialists also record problems with hostscan token allocation<.

Attackers use a wide range of credentials, from commonly known usernames to organization-specific credentials. Researchers on GitHub list more than 2,000 usernames and nearly 100 passwords involved in the attacks, as well as approximately 4,000 IP addresses from which connections were made. The addresses listed come mostly from TOR exit nodes and other anonymizing tunnels and proxies. Experts note that the attacks are non-targeted and opportunistic in nature, not focused on any region or industry.

According to research, attackers target the following resources:

The following code displays a log entry where an unauthorized user attempted to access the Cisco VPN service, but their login was unsuccessful.

{"timestamp": "2023-01-0311:38:35. 000Z", "user": "unknown", "account": "*****", "result" : "FAILED_BAD_LOGIN" ,
"source_ip": "62.204.41.146", "service": "vpn", "geoip_country_code": "RU", "geoip_country_name": "Russia", "geoip_organization": "Horizon LLC", "source_data":"<166>Jan 03 2023 05:38:35 FW : %ASA-6-: Group User <*****> IP <62.204.41.146> Authentication: rejected, Session Type: WebVPN. "}
{"timestamp": "2023-01-06T11:03:59. 000Z", "user": "TestUser", "account" : "test", "result": "FAILED_BAD_LOGIN", "source_ip": "179.60.147.152", "service": "vpn", "geoip_city": "Moscow", "geoip_country_code" : "RU" , "geoip_country_name" : "Russia", "geoip_organization": "Flyservers S.A.", "geoip_region": "MOW", "source_data" : "<166>Jan 06 2023 05:03:59 FW-%ASA-6-: "}

Potential Risks

Penetrating corporate networks through VPNs or servers can give attackers access to sensitive information such as personal data. Also, through unauthorized access to VPNs, attackers can distribute malware within a company’s network, which can lead to infections of workstations and servers. Additionally, unauthorized access eventually leads to data leaks. This is unpleasant on it own, and also violates regulatory requirements such as GDPR or HIPAA, resulting in severe fines and legal consequences for the company. The number of such attacks has been increasing over time, and this trend is expected to continue.

Cisco Protection Recommendations

Cisco has provided a series of recommendations to strengthen security and prevent successful cyberattacks. These suggestions are part of the described account hacking campaign. Here are the key recommendations for organizations to minimize risk and better protect their information systems:

• Detailed logging should be configured, with logs going specifically to a remote syslog server. This allows administrators to recognize and correlate attacks across different points in the network, which is critical for rapid incident response.
• It is recommended that default remote access accounts be sinkholed. Access to these accounts should be limited or completely denied if they use the DefaultRAGroup and DefaultWEBVPNGroup profiles.
• It is recommended to use blocking lists to prevent access to VPN services from IP addresses known to be malicious.
• Configuring interface-level access lists and control planes will help filter out unverified public IP addresses and prevent them from being able to initiate remote VPN sessions.
• The shun command in Cisco IOS allows the administrator to block malicious traffic from specific IP addresses, which prevents further attack attempts.

The post Cisco Talos Warns of a Massive Brute Force Wave appeared first on Gridinsoft Blog.

Vulnerability in Cisco Unity Connection Allows for Root Access

The Unity Connection vulnerability, coded as CVE-2024-20272, is an arbitrary file upload bug discovered within the web-based management interface of Cisco Unity Connection. The vulnerability is primarily due to insufficient authentication in a specific API and improper validation of user-supplied data. Attackers could exploit this flaw by uploading arbitrary files to an affected system. This could enable them to store malicious files on the system, execute arbitrary commands and elevate their privileges to root level.

The vulnerability affects certain versions of the Cisco Unity Connection software (12.5 and earlier, and 14). But with version 15 not being susceptible. While there are no reports of the vulnerability being maliciously exploited in the wild, the seriousness of the flaw necessitates prompt action by users to apply the updates.

What is Unity Connection?

Cisco Unity Connection is a fully virtualized messaging and voicemail solution, widely used across various platforms. Those are email inboxes, web browsers, Cisco Jabber, smartphones, and tablets. The vulnerability’s critical nature stems from its potential impact on these systems, especially considering that Cisco solutions overall are frequently targeted by attackers.

Patch

Cisco has released software updates to mitigate this vulnerability for the affected versions of the Unity Connection software. The fixed versions are 12.5.1.19017-4 for version 12.5 and earlier, and 14.0.1.14006-5 for version 14.

Additionally, Cisco patched ten medium-severity security vulnerabilities in multiple products. These issues could enable attackers to escalate privileges, launch cross-site scripting (XSS) attacks, and perform command injections. Among these, a command injection vulnerability identified as CVE-2024-20287 in the web-based management interface of Cisco’s WAP371 Wireless Access Point also drew attention. However, this particular vulnerability won’t be patched by Cisco as the WAP371 device reached its end-of-life in June 2019.

Users of Cisco’s products, particularly those in IT and network management, are advised to stay informed about these updates. They should apply the necessary patches to ensure the security and integrity of their systems and data.

The post Cisco Unity Connection Vulnerability Enables Root Access appeared first on Gridinsoft Blog.

KELA analysts write that the latest leak contains hack group chats dated January-September 2022, all communication in which took place in Russian. This is an interesting nuance since initially many believed that Yanluowang was a Chinese hack group. However, some time ago this opinion began to change, since in September the hackers were already associated with Evil Corp.

Researchers say that in chats you can find conversations of group members known under the nicknames saint, killanas, and stealer. It is believed that the saint leads the group, while killanas is engaged in coding. Moreover, according to some sources, it has already been possible to calculate the pseudonyms of the attackers on various hack forums, and according to other sources, Yanluowang members have already been completely doxed, including their real names, social media accounts, and other details.

Here is what the experts have already managed to find among the “merged” data:

1. according to the chat logs, Yanluowang has existed since at least the fall of 2021, and in one of the conversations saint mentions the Nyx malware, which seems to be also used by his team;
2. from the conversation between the stealer and the tester under the nickname felix, we can conclude that the version of the Yanluowang malware for ESXi is already in development;
3. On May 14, 2022, saint revealed that the group “earned” one million US dollars in 2022 (it’s not clear if this was the total amount of buyouts or the largest of them).

In addition to the logs, you can even find screenshots on the network containing the source code for the decryption procedure for the Yanluowang ransomware.

According to Risky Business, this leak appears to be the result of a major hack. Unknown individuals not only took control of the Matrix internal chat server used by the group but also compromised the Yanluowang “leak site” on the dark web. Through the defacement of this resource, the hackers demonstrated their skills, and they posted a new blog entry on the topic. The post contained links to Telegram and Twitch accounts, where links to stolen chat logs were posted.

It is currently unclear who was behind the hack, but there are several theories, ranging from the classic version that it was a disgruntled former member of the group or an unknown information security specialist, and ending with the exotic version that it was the revenge of the Cisco security service for the hack that occurred in May.

Nevertheless, experts are confident that after such a large-scale compromise, Yanluowang operations can be put an end to, as other cybercriminals are unlikely to want to deal with a compromised group whose operational security is in question.

The post Logs of Internal Chats of the Russian Hacker Group Yanluowang Leaked to the Network appeared first on Gridinsoft Blog.

Let me remind you that last month, Cisco representatives confirmed that back in May, the company’s corporate network was hacked by the Yanluowang extortionist group. Later, the attackers tried to extort money from Cisco, otherwise threatening to publish the data stolen during the attack in the public domain.

Then the company emphasized that the hackers did not steal anything serious at all, they only managed to steal non-confidential data from the Box folder associated with the hacked employee account.

The hackers themselves contacted Bleeping Computer and told reporters that they had stolen 2.75 GB of data from the company (approximately 3,100 files), including source codes and secret documents. According to journalists, many of the files were non-disclosure agreements, data dumps and technical documentation.

For example, the attackers gave the publication a redacted version of the agreement and showed a screenshot of the VMware vCenter admin console at the cisco.com URL. The screenshot showed numerous virtual machines, including one called GitLab and used by the Cisco CSIRT.

At the same time, Cisco continued to claim that the company has no evidence that the source code was stolen.

Let me remind you that we also reported that Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp.

As Bleeping Computer now reports, Yanluowang members have begun leaking stolen data on the dark web. Against this background, Cisco finally confirmed the data leak, but the company continues to insist that this incident did not affect the business in any way, and the leak of information does not change the initial assessment of the incident.

I note that at the end of August, cybersecurity analysts from eSentire published a report in which they presented evidence of a possible connection between the Yanluowang group and the well-known Russian-speaking hack group Evil Corp (UNC2165).

The post Ransomware publishes data stolen from Cisco appeared first on Gridinsoft Blog.

Researchers believe that malicious actors associated with Evil Corp. are behind these incidents.

Let me remind you that we also said that Cisco Won’t Fix an RCE Vulnerability in Old RV Routers.

Let me remind you that in August 2022, Cisco representatives confirmed that in May, the company’s corporate network was hacked by the Yanluowang extortionist group. Later, the attackers tried to extort money from Cisco, otherwise threatening to publish the data stolen during the attack in the public domain. Then the company emphasized that the hackers managed to steal only non-confidential data from the Box folder associated with the hacked employee account.

eSentire analysts now say that the attack could have been the work of a criminal known as mx1r. It is believed that he is a member of one of the “branches” of the well-known Russian-speaking group Evil Corp (aka UNC2165).

The researchers write that the victim’s network was initially accessed using stolen VPN credentials, and then the attackers used ready-made tools for lateral movement.

Researchers suspect mx1r’s connection with Evil Corp due to the coincidence of a number of attackers’ tactics, Including due to the organization of a kerberoasting attack on the Active Directory service and the use of RDP for promotion in the company’s network.

At the same time, despite these connections, the HiveStrike infrastructure used to organize the attack generally corresponds to the infrastructure of one of the “partners” of the Conti group, which had previously distributed the Hive and Yanluowang ransomware. These hackers eventually published the data stolen from Cisco on their dark web site.

Cisco representatives themselves wrote that the attack was most likely “carried out by an attacker who was previously an initial access broker and had connections with the UNC2447 cybercrime group, the Lapsus$ group, and the Yanluowang ransomware operators.”

These discrepancies don’t seem to bother eSentire analysts in the least:

The post Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp appeared first on Gridinsoft Blog.

Cisco will not patch the zero-day CVE-2022-20825 vulnerability on end-of-life devices. The affected devices are Small Business RV routers (mobile routers for recreational vehicles and boats.) The specific vulnerable models are RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.

In its advisory, Cisco suggests users switch to newer models that receive all technical support and updates. For those who keep using the good old stuff, the manufacturer shows how to switch off the device remote control since the vulnerability only exists on routers with the remote management interface turned on (not a default config.) Going to Basic Settings => Remote Management and clearing the relevant tick box will be enough to secure the device, although it will lower its convenience level.

It’s no wonder the severity of vulnerability in question is rated 9.8x out of 10. It allows hackers to execute commands remotely bestowed with root privileges after sending a specially tailored request to the device. The lack of user input validation of the HTTP packets puts the four named router models in serious jeopardy

The post Cisco Won’t Fix an RCE Vulnerability in Old RV Routers appeared first on Gridinsoft Blog.

At the same time, Smith says that the attackers rewrote only 4032 lines of code in Orion, which contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers, according to official figures.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but much more specialists “worked” on the side of the attackers:

Since the attack is attributed to a Russian-speaking hack group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to large-scale attacks on Ukraine, which are also attributed to Russia (although the Russian Federation authorities deny their involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and explained the recent events.

As it turned out, a compromise was discovered in FireEye almost by accident. The fact is that to remotely log into a company’s VPN, employees need a two-factor authentication code, and their accounts are tied to phone numbers. The FireEye security service accidentally noticed that one of the employees linked two phone numbers to his account.

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

The post Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack appeared first on Gridinsoft Blog.

Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.

As a result, victims included major entities like Microsoft, Cisco, FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.

In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”

Now, the unknown individuals claim to be ready to sell the following stolen data:

• $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
• $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
• $50,000: private red team FireEye tools, source codes, binaries, and documentation (39 MB);
• $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).

The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators mimic the well-known hack group The Shadow Brokers, stating that initially, the stolen information will be sold in batches, and later, it will be freely published in the public domain.

It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced having no evidence of the theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check WHOIS information results in the message “You can get no info”.

It remains unknown whether the site operators possess the data they claim to have, or if SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it was found to be nonexistent.

The post Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack appeared first on Gridinsoft Blog.

Let me remind you that unknown hackers attacked SolarWinds and infected its Orion platform with malware.

Among the victims were such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.

A new blog post on Microsoft 365 Defender does not contain new technical details, but experts write that they seem to have identified the ultimate goal of the hackers: after infiltrating companies ‘networks using the SUNBURST (or Solorigate) backdoor, hackers sought to gain access to victims’ cloud resources.

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.

Microsoft experts note that the end goal of the hackers, apparently, was the creation of SAML (Security Assertion Markup Language) tokens in order to forge authentication tokens that provide access to cloud resources. Thus, hackers were able to extract emails from the accounts of interest.

Microsoft detailed the tactics that attackers used to gain access to cloud resources of their victims:

• Using a compromised SolarWinds DLL to activate a backdoor that allowed remote control and operation of the device;
• Using a backdoor to steal credentials, escalate privileges, and sideways to create valid SAML tokens in one of two ways: steal the SAML signing certificate, add or modify existing federation trusts.
• Using generated SAML tokens to access cloud resources and perform actions leading to theft of emails and retain access to the cloud.

Let me also remind you that SolarWinds hack allowed Russian attackers to infiltrated dozens of US Treasury Department mailboxes.

The post Microsoft says SolarWinds hackers hunted for access to cloud resources appeared first on Gridinsoft Blog.